In two weeks' time, I will have to test a couple of computers that a client would like to provide to its employees. The main concern is making sure that the employees won't be able to use those computers for anything that isn't actually allowed.

I won't have any information on these computers until I get there, but I can think of some measures that are probably likely to be implemented:

No CD/DVD drive

Disabled USB ports

No Internet access (not sure if the machines will or won't have a network card)

Now, the first thing that popped into my mind was trying to use a live CD and see if I will be able to bypass some of the measures, but since I never did a test like this one...

4 Answers

Depending on what sort of threats your client is worried about, there are different things you will want to test.

If they're worried about end-users obtaining or abusing unauthorized elevated privileges on the machine, you should look for ways to obtain or modify the Administrator password on the system. The easiest ways to do this generally involve booting the system from alternative media.

First, try simply inserting a bootable CD or USB drive and see if it loads.

If that doesn't work, try accessing the system's boot menu (if it has one) to force selection of the boot media.

If that doesn't work, try accessing the BIOS to change the default boot order yourself. Also, use this opportunity to verify that the CD drive(s) and/or USB port(s) are actually enabled - and enable them, if not.

If the BIOS configuration or boot order is password-protected, there's probably a way to reset this via a jumper on the motherboard. Look that up and try it.

Once you've loaded the system with your own boot disc/drive, see if you can read the HDD. If you can, you should be able to discover or change the passwords on any local account (including the built-in Administrator) with the right tools. After that, the system is effectively pwned.

Alternative methods of privilege escalation involve client-side exploits. You may want to try this if you can't boot to alternate media, or cannot read the HDD after an alternate media boot, or if you'd like to cover this territory in addition to those tests. To check for these, you will at minimum want access to a Limited User account on the system. Then, use tools like Metasploit and/or Nessus (and, failing those, Google) to discover and test vulnerabilities you might be able to leverage to upgrade your Limited User's access. Here, you'll also want to check how the system handles AutoPlay/AutoRun functions for removable media.

If the client is more worried about data theft, I'd test the system for susceptibility to network-based exploits just as if you didn't have physical access. Once done with that, you could also just pull the HDD and see what you can read off it from another system.

Regarding defense against physical attack vectors, here are a few other threads you may want to read:
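The AutoPlay/AutoRun and removable-media checks mentioned in this answer, seen from the defender's side: the following PowerShell audit script is an added example and is not code from the question, any answer, or any commenter here. It reads the documented Windows policy locations for AutoRun, the Autorun.inf mapping mitigation, and the USB mass-storage driver start type, and reports whether each matches the locked-down setting. It assumes an elevated Windows PowerShell session on the machine under test; the `Hardened` column labels and the expected values are my choice of presentation, the registry paths and value names are the standard ones.

```powershell
# Added example (not from the original thread): audit how a Windows
# workstation handles removable media at the OS level.
# Assumes: run in an elevated PowerShell session on the machine under test.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value absent
    }
}

$findings = @()

# 1. NoDriveTypeAutoRun is a bit mask of drive types for which AutoRun is
#    disabled; 0xFF (255) disables it for every drive type. The machine-wide
#    policy wins over the per-user value, so both locations are checked.
$autorunPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($p in $autorunPaths) {
    $v = Get-RegValue -Path $p -Name 'NoDriveTypeAutoRun'
    $findings += [pscustomobject]@{
        Check    = "NoDriveTypeAutoRun ($($p.Split(':')[0]))"
        Value    = if ($null -eq $v) { '(not set)' } else { '0x{0:X2}' -f $v }
        Hardened = ($v -eq 0xFF)
    }
}

# 2. Autorun.inf IniFileMapping: Microsoft's recommended mitigation that makes
#    Windows ignore autorun.inf files entirely. Expected: @SYS:DoesNotExist
$mapPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$mapVal = try { (Get-ItemProperty -Path $mapPath -ErrorAction Stop).'(default)' } catch { $null }
$findings += [pscustomobject]@{
    Check    = 'Autorun.inf IniFileMapping'
    Value    = if ($null -eq $mapVal) { '(not set)' } else { $mapVal }
    Hardened = ($mapVal -eq '@SYS:DoesNotExist')
}

# 3. USBSTOR driver start type: 4 = disabled, so USB mass-storage devices are
#    not mounted even when the ports are electrically live (a software-level
#    complement to disabling the ports in the BIOS).
$usbStart = Get-RegValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start'
$findings += [pscustomobject]@{
    Check    = 'USBSTOR service Start'
    Value    = if ($null -eq $usbStart) { '(not set)' } else { $usbStart }
    Hardened = ($usbStart -eq 4)
}

# 4. Optical drives visible to the OS (complements the physical inspection).
$cdrom = @(Get-CimInstance -ClassName Win32_CDROMDrive -ErrorAction SilentlyContinue)
$findings += [pscustomobject]@{
    Check    = 'Optical drives visible to Windows'
    Value    = $cdrom.Count
    Hardened = ($cdrom.Count -eq 0)
}

$findings | Format-Table -AutoSize
$weak = @($findings | Where-Object { -not $_.Hardened })
Write-Host ("{0} of {1} checks are not in the hardened state." -f $weak.Count, $findings.Count)
```

Two caveats when using it: the HKCU value read here belongs to whichever account runs the script, so run it once more as the Limited User you are given to see that user's effective setting; and a passing result only covers the OS-level handling, it says nothing about what a machine booted from alternate media will do, which is why the boot-order checks above come first.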

The main thing to understand is that your client is trying to solve an impossible problem. Trying to prevent someone with physical access to the machine from accessing it is like trying to make water not wet. It ain't gonna work.

If you want to do the best that you can, you can take the steps you mention, and I also suggest you research "kiosk mode". But fundamentally, it will still be relatively easy for employees to use the computers for activities your client doesn't like. It will be as easy as inserting a Linux LiveCD, or a gazillion other methods. You're never going to close them all (not and leave the employees with a useful computer), and realistically speaking, you're not even going to be able to make it terribly difficult to defeat the security measures.

So I would argue that there are two important takeaways: (1) keep your expectations low; there is only so much that technical methods can provide, so don't waste too much time or energy trying to invent a foolproof defense, (2) this is primarily a matter for policy and social methods, rather than technical methods -- for instance, your client might want to adopt and promulgate a clear company policy regarding acceptable use of company computers, and be explicit about the penalty for violations.

@Paul: I will be doing this test with a senior consultant; I started working in IT security just a month ago. Even if my co-worker knows what to do, I still wanted to get there with some thoughts on the matter.
– Gurzo Dec 3 '11 at 11:11

@D.W. No affiliation whatsoever. I was just throwing out ideas. I work for the gov.
– Paul Ackerman Dec 5 '11 at 15:44